Tag Archives: GRC Risk Compliance Governance

2019-09-09 by: James Bone Categories: Risk Management The first ever GRC Index!

…coming this fall 2019!

TheGRCBlueBook is launching the first ever GRC Index!

A GRC Index is the first comprehensive research report on technology to manage risk that is unbiased, free of marketing hype and GRC punditry!

TheGRCBlueBook was founded on the premise of bringing transparency to the GRC marketplace. Today’s marketing on GRC solutions has become confusing as a result of excessive marketing jargon, conflicts of interest by GRC pundits and researchers who have never managed risks!

The GRC Index has been created by RISK PROFESSIONALS for RISK PROFESSIONALS because we understand you want to know how technology is used to manage your risks……not some generic solution that doesn’t help you solve your problems.

The attached document is a draft of what will become the largest collection of research on GRC technology solutions to manage a range of risks. Our goal is to become “the” trusted resources for buyers of GRC solutions, buyers of GRC companies and GRC solutions providers who all want unbiased insights on the marketplace for technology to manage risks of all kinds.

The GRC Index will become the largest source of insight into the global market for solutions to manage risks!

Coming this fall from TheGRCBlueBook! – The first GRC Index to give risk professional a real choice for selecting the tools that work best at managing your risks!

2013-04-15 by: James Bone Categories: Risk Management How to Implement and Align Technology within Your GRC Framework

by James Bone, Executive Director TheGRCBlueBook

GRC Summit panel


GRC Summit – Michael Rasmussen (GRC 20/20), Norman Marks (SAP), Lance J. Freedman (Lockheed Martin Corporation)

Norman Marks’s introduction of the Day Two keynote speaker, Michael Rasmussen demonstrated the dichotomy of the divergent views evolving in GRC.  Norman set up the introduction with an overview of the State of the Industry address.  Marks’s view is informed by developments in predictive analytics and the promise of big data. 

“GRC stands for Governance, Risk and Confusion”, half joked Marks.  “The GRC solution remains elusive as does agreement on definitions and a common taxonomy for implementing an effective framework.”  So how does one align GRC with technology? 

According to Marks, “there is no informed approach that has proved effective in deciding how to purchase a GRC solution.”  The available analyst reports from leading consulting firms were deemed to be insufficient in providing prospective users with the tools needed to make an informed choice between respective risk solutions.  “[Analyst’s] reports are based on a generic set of business outcomes intended to address the preconceived needs of risk managers”, according to Marks.  Even Michael Rasmussen admits that risk managers need more than three client references from GRC vendors.  “Do you expect to receive a bad reference from a GRC vendor?” questioned Michael.

Rasmussen has broadened his view of GRC beyond a strict definition of the features embedded in the platform to now include a focus on GRC architecture.  In Michael’s view, “GRC is about organizing the manual processes, data and accountability to solve for the complexity inherent in today’s business environment”.  

This is what Rasmussen calls “GRC3.0, Enterprise Architecture.”  Rasmussen has adopted the OCEG Red Book framework as his operating model which advocates aligning business objectives and performance with GRC.  “Effective enterprise architecture will require half a dozen or more GRC solutions in order to address the full complement of risks outlined in Michael’s framework.” 

What both evangelists agree on is that the end solutions must have a positive impact on the performance of business objectives.  One of the best lines came from Norman Marks as he described the cause of diluted successes in GRC to date.  “These random acts of improvement lead to uncoordinated progress”, according to Marks.  “The key is aligning GRC for business value from strategy to operations.”

Each of the panelists provided a comprehensive set of examples for why risk tools are needed to manage increasingly challenging regulatory and business objectives while leaving the audience with no more clarity on a prescription for moving forward.  The missing piece to the puzzle remains elusive.  How does one determine which solution is appropriate for their needs given the unique risk challenges each firm faces?

Will there be a convergence of approaches after a critical mass of firms adopts a systemic solution to manual processes and begins to see the benefit of Big Data analytics?  Will predictive analytics make today’s subjective risk assessment irrelevant?  Will a disparate set of solutions be needed, as Rasmussen suggests, once a clear data management program has been implemented with the requisite ability to query data to the business answers one is seeking?

The panelist debate prompted more questions than answers.  What is clear is a prospective buyer of these tools has very few reliable options for choosing the appropriate risk solution.  Given the number of available GRC solutions providers the odds of finding the tool that fits your need is a daunting task.  This task is made less clear by a lack of transparency into the market, generic standards for defining GRC implementation, and no professional consultative services independent of the solutions provider to develop a strategic plan before choosing the solution that addresses one’s needs.

2013-03-16 by: James Bone Categories: GRC Articles OCEG Red Book

You must be logged in to view this document. Click here to login


OCEG, the Open Compliance & Ethics Group has developed standards for the structure of GRC (Governance, Risk & Compliance).  Although initially focused on GRC as a risk practice OCEG has shifted focus to a new concept called Principled Performance.  OCEG has modified Enterprise Risk into a Principled Performance model that is inclusive of the COSO Enterprise Risk framework.  This shift in focus appears to imply that risk management is responsible for firm performance.